Luigi Auriemma aluigi.org (ARCHIVE-ONLY FORUM!)

[ 4 posts ]
wes_jin
|
Post subject: XPDF 3.0.1 StreamPredictor::getNextLine stack overflow Posted: 05 Jan 2008 05:18 |
|
Joined: 05 Jan 2008 04:51 Posts: 2
|
Hello,
I've been investigating the bug in XPDF 3.0.1's StreamPredictor::getNextLine function. The relevant code is as follows:
if (nBits == 1) {
  ...
} else if (nBits == 8) {
  ...
} else {
  ...
  bitMask = (1 << nBits) - 1;
  inBuf = outBuf = 0;
  inBits = outBits = 0;
  j = k = pixBytes;
  for (i = 0; i < width; ++i) {
    for (kk = 0; kk < nComps; ++kk) {   // nComps is never compared against the size of upLeftBuf
      if (inBits < nBits) {
        inBuf = (inBuf << 8) | (predLine[j++] & 0xff);
        inBits += 8;
      }
      upLeftBuf[kk] = (upLeftBuf[kk] +
                       (inBuf >> (inBits - nBits))) & bitMask;   // kk can index past the end of upLeftBuf
      ...
    }
  }
}
XPDF does not verify that nComps is less than the size of upLeftBuf. Therefore, an attacker can create a PDF with an overly long nComps and overwrite the EIP.

However, it seems that an attacker is restricted in which address he can use to overwrite the EIP because of bitMask. The third branch of the conditional statement above dictates that nBits is not 1 or 8. Shifting inBuf by the difference of inBits and nBits dictates that nBits must be less than 8.

Does anybody see a way of overwriting the EIP with a meaningful return address? I have tried an nBits of 4 that overwrites the lower nibbles of EIP. However, this does not produce an address at which shellcode can be inserted...

Thanks for any advice that you can provide
aluigi
|
Post subject: Posted: 07 Jan 2008 11:39 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
Well, here I see at least 2 limitations:
- upLeftBuf[kk] = (upLeftBuf[kk] + ..., which means that after the buffer finishes the value of upLeftBuf[kk] will be uncertain; hopefully there are zeroes after it
- the bitmask
In the second case (now I talk hypothetically, since I have not tested the bug and don't know what parameters you have control over) you can choose between a bitmask from 3 to 0x7f... very very difficult in my opinion
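The two limitations discussed above (the unbounded nComps loop from the first post and the add-and-mask behaviour pointed out in the reply) can be modelled in a few lines. This is an added example, not code from the original posts or from xpdf: the frame layout (a 4-byte upLeftBuf followed directly by a 4-byte slot standing in for the saved return address), the sample inputs, and the `inBits -= nBits` step after the store (elided by the "..." in the posted snippet) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the stack region written by the inner loop of
   StreamPredictor::getNextLine. Sizes are assumptions for illustration:
   upLeftBuf is 4 bytes here and is followed directly by a 4-byte slot that
   stands in for the saved return address (little-endian). */
#define UPLEFT_SIZE 4
#define FRAME_SIZE  (UPLEFT_SIZE + 4)

/* Runs the posted loop for one pixel (width == 1). The only bound applied is
   the model's own (nComps <= frameLen) so the example itself stays in bounds;
   the real code has no such check. 'inBits -= nBits' after the store is assumed
   from the elided part of the loop. */
static void predictor_loop(unsigned char *frame, size_t frameLen, int nBits,
                           int nComps, const unsigned char *predLine, size_t predLen)
{
    unsigned long inBuf = 0;
    int inBits = 0;
    unsigned bitMask = (1u << nBits) - 1;
    size_t j = 0;
    if ((size_t)nComps > frameLen) nComps = (int)frameLen;   /* model containment only */
    for (int kk = 0; kk < nComps; ++kk) {
        if (inBits < nBits) {
            if (j >= predLen) return;                         /* out of constructed input */
            inBuf = (inBuf << 8) | (predLine[j++] & 0xff);
            inBits += 8;
        }
        /* the store that overflows: old byte + input bits, then clamped to bitMask */
        frame[kk] = (unsigned char)((frame[kk] + (inBuf >> (inBits - nBits))) & bitMask);
        inBits -= nBits;
    }
}

/* Builds a frame with upLeftBuf zeroed and oldRet in the return slot, runs the
   overflow with an nComps large enough to reach the slot, and returns the value
   now sitting in the return slot. */
uint32_t overwrite_return(int nBits, const unsigned char *input, size_t inLen, uint32_t oldRet)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    for (int i = 0; i < 4; ++i)
        frame[UPLEFT_SIZE + i] = (unsigned char)(oldRet >> (8 * i));
    predictor_loop(frame, sizeof frame, nBits, FRAME_SIZE, input, inLen);
    uint32_t newRet = 0;
    for (int i = 0; i < 4; ++i)
        newRet |= (uint32_t)frame[UPLEFT_SIZE + i] << (8 * i);
    return newRet;
}

/* Largest value any overwritten byte can take for a given nBits (the bitMask). */
unsigned max_byte_for(int nBits) { return (1u << nBits) - 1; }

/* Constructed inputs standing in for predictor bytes of a crafted PDF. */
static const unsigned char ALL_ONES[8] = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
static const unsigned char NIBBLE_1[4] = {0x11,0x11,0x11,0x11};

/* nBits == 4, zeroed frame, all-ones input: every byte is clamped to 0x0f. */
uint32_t demo_mask_limit_nbits4(void) { return overwrite_return(4, ALL_ONES, sizeof ALL_ONES, 0); }
/* nBits == 7, the widest mask the branch allows below 8 bits: bytes top out at 0x7f. */
uint32_t demo_mask_limit_nbits7(void) { return overwrite_return(7, ALL_ONES, sizeof ALL_ONES, 0); }
/* A non-zero saved return (0x00400408, constructed) is folded in byte by byte:
   (old + input) & bitMask, so the old high nibbles are lost and the low nibbles shift. */
uint32_t demo_existing_value_folded(void) { return overwrite_return(4, NIBBLE_1, sizeof NIBBLE_1, 0x00400408u); }

int main(void)
{
    printf("nBits=4, zero frame     -> 0x%08x (max byte 0x%02x)\n", demo_mask_limit_nbits4(), max_byte_for(4));
    printf("nBits=7, zero frame     -> 0x%08x (max byte 0x%02x)\n", demo_mask_limit_nbits7(), max_byte_for(7));
    printf("nBits=4, old 0x00400408 -> 0x%08x\n", demo_existing_value_folded());
    return 0;
}
```

Whatever the input bytes, each byte landing on the return slot is at most bitMask (0x0f for nBits 4, 0x7f for nBits 7), and it is added to whatever was already there before masking, so the resulting address depends on the previous stack contents as well as on the PDF.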
wes_jin
|
Post subject: Posted: 07 Jan 2008 20:53 |
|
Joined: 05 Jan 2008 04:51 Posts: 2
|
Thanks for the reply Luigi.
I also have a more general question now about the way you choose targets.
When you are auditing software, do you select programs at random? If not, what criteria do you use?
Thanks
aluigi
|
Post subject: Posted: 08 Jan 2008 14:11 |
|
Joined: 13 Aug 2007 21:44 Posts: 4068 Location: http://aluigi.org
|
partially random.
usually I choose the target (of any of my research, so not only bug finding) during a search or if I see an article on a magazine or any other input which makes me know that program or that simply leads to a new idea or a possible type of bug which can affect that specific program.
Other times instead I watch a specific type of program like a particular type of server or protocol or file format and so on